Grin transactions are interactive because without input of the receiver there is no way to make sure that the sender cannot spend the coins, i.e. we need to delink the sender from the commit.
But this does not have to be done by the receiver. First let us look at a simple case where Alice wants to send funds to Bob and Carol is online to delink Alice from the transaction output. In addition Alice, Bob and Carol have all published a public key P and posses the corresponding private key x:
P_i = x_i * U
where U is a curvepoint that is different from the two points (L,G) used in the Pedersen commits
C = vL + sG
Note that I often will use P_i as a number and not as a curvepoint. Equations below should be understood accordingly.
From these public keys shared secrets between all parties can be established.
s_ij = x_iP_j = x_jP_i
and these can be used as blinding factors in the transaction. Alice will set up the commit
C = v*L + s_AB * G + s_BC * G
and this commit can be signed by aggregating signatures from Alice and Carrol. It can be spent by Bob; or when Alice and Carrol collaborate.
This is already somewhat better than putting the money in a channel where both Alice and Bob can spent, but not really satisfactory as Bob needs to trust Carrol.
But there is no reason why only one person beyond Alice should be involved. If we build a system where anyone can add information to delink Alice this would be secure as long as only one of the signers is honest.
This would be set up like this:
- Alice provides an initial commit
C = v *L + s_AB * G and a Hash H©
- Other participants can now add to this commit by sending a public key P_i and signing the Hash H to (U,P_i) proving they know x_i.
- These then commit I_i = x_i * G (which is not P_i = x_i *U!). The same signature above verifies that x_i is the same as for the public key as the signature also signs H to (G, I_i)
- Alice adds to the commit C
C += P_B * I_i = s_Bi * G
- After some while Alice finalises C and asks all participants for a valid signature to the transaction, and aggregates them. If it does not validate the people that did not sign correctly are dropped and step 5 is repeated without them.
- Alice pushes the signed transaction to the chain and gives Bob P = Sum(P_i) and this allows Bob to spent the output.
For Alice to spent the output all people involved in delinking her need to cooperate. The delinkers can never spent without Alice even when they cooperate. While this is not 100% safe only one honest participant already guarantees safety. The idea is decentralised and should be better than having a single trusted third party. For smaller amounts this should be secure enough. Plus it is easy to find public keys for anyone that has a BTC address from which there was a transaction. Then girn could be sent non-interactive directly to a BTC address, just giving people in BTC some grin to play with it if they want.
Are there any problems I am missing?